
Privacy Policy - summie

Last Updated: November 2025
summie B.V. ("summie", "we", "our", "us") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy describes how we collect, use, store and protect personal data when you use our website (summie.co), our apps and the summie collaboration platform for entrepreneurs and accountants ("Services").
This policy applies to:
· Entrepreneurs who use summie to manage receipts, invoices, documents and financial administration.
· Accountants and accounting firms who use summie to collaborate with clients and manage administrative workflows.
This Policy is drafted in accordance with the General Data Protection Regulation (GDPR) and relevant Dutch privacy laws.
1. Who is responsible for your data?
summie B.V.
Email: hello@summie.co
Entrepreneurs
For entrepreneurs using summie directly, summie B.V. is the data controller for processing that occurs within the platform.
Accountants & accounting firms
When an accounting firm uses summie to process documents and financial data for its clients:
· The accounting firm is the data controller for all financial and administrative data processed via summie.
· summie acts as a data processor under a Data Processing Agreement (DPA).
Certain processing operations—such as account creation, security logging, billing and fraud monitoring—may be independently controlled by summie.
2. Personal data we process
We process only the personal data necessary for the proper functioning of the platform. Depending on your use of the Services, we collect the following categories:
A. Account & identity data
· Name
· Email address
· Phone number (optional)
· Business details (for accountants/firms)
· User roles and permissions
· Login and audit logs
B. Financial data
Processed only when you actively connect financial accounts or upload financial documents:
· Bank account identifiers (IBAN) provided via regulated connectivity providers
· Transaction details made available through these providers
· Transaction metadata: date, amount, description, counterparty
· Metadata needed to match transactions and documents
Collection method: Via PSD2-licensed Account Information Service Providers (AISPs) with your explicit consent.
C. Document data
· Uploaded receipts, invoices, statements, contracts and other administrative documents
· Extracted data obtained via document processing (OCR)
· Classification metadata for archive management
D. Technical & usage data
· Device type, OS, browser
· App version
· Error logs, crash logs and operational telemetry
· Security and access logs
E. Communication & support data
· Messages sent to our support team
· Information provided during onboarding
· Email correspondence
3. Purposes of processing
We process your personal data for the following purposes:
A. To provide and operate the summie platform
· Create and maintain accounts
· Process financial documents and data
· Enable accountant–client collaboration
· Provide data extraction, classification and archive functionality
· Sync with supported accounting systems
B. To support B2B accountant usage
· Managing teams, permissions and client access
· Providing audit trails and activity logs
· Supporting migrations from legacy platforms
C. Platform security & fraud prevention
· Access control
· Monitoring suspicious activity
· Protecting user accounts and data
· Ensuring system integrity
D. Platform improvement
· Understanding usage patterns (anonymized where possible)
· Troubleshooting errors
· Optimising performance
· Enhancing feature functionality
E. Customer support
· Responding to questions
· Investigating issues
· Providing onboarding assistance
F. Legal and regulatory compliance
· Complying with data retention obligations (7-year financial data retention)
· Responding to government or supervisory authority requests
4. Bank connections (PSD2)
How we access your bank data
summie connects to your bank account via PSD2-licensed Account Information Service Providers (AISPs). This is a secure, regulated method of accessing financial data.
Scope of access
What we access:
· Transaction history (typically last 90-180 days, depending on bank)
· Account holder name and IBAN
· Transaction details: date, amount, description, counterparty
What we do NOT access:
· Your bank login credentials or passwords
· Account balances, except where a specific feature requires them
· Personal bank messages or communications
Your control
· Revoke access anytime
· Access expiration: Bank connections typically expire after 90-180 days (bank dependent)
· Re-authorization: You'll be notified when access is about to expire
· Transparency: View which accounts are connected and when they were last synced
Your responsibility
· You are responsible for ensuring the correctness of the connected bank account
· You should review imported transactions for accuracy
· You remain responsible for your financial administration
Note: summie is not responsible for errors, delays or outages in data provided by banks or AISP providers.
5. Sharing personal data
We only share data with carefully selected third-party service providers that help us deliver the Services. We work exclusively with processors that meet strict security and privacy standards.
Categories of service providers
Cloud Infrastructure & Hosting
· Purpose: Secure data storage, processing and platform operation
· Location: Primarily EU/EEA data centers
· Security: Enterprise-grade encryption and access controls
Banking Connectivity Providers
· Purpose: Secure connections to financial institutions
· Regulation: Licensed under PSD2 as Account Information Service Providers (AISPs)
Document Processing Services
· Purpose: Optical Character Recognition (OCR) and automated data extraction
· Processing: Text recognition from receipts, invoices and documents
Authentication Services
· Purpose: Secure account creation and login
Error Monitoring & Diagnostics
· Purpose: Crash reporting, bug detection and platform stability
· Data: Technical logs and anonymized error reports
Communication Services
· Purpose: Transactional emails, notifications and updates
· Type: Account-related communications only (not marketing)
Professional Advisors
· Purpose: Legal, accounting, compliance and audit services
· Access: Strictly limited and under confidentiality agreements
Our safeguards
Data Processing Agreements: All service providers operate under GDPR-compliant Data Processing Agreements (DPAs)
Minimum access: Providers only access data necessary for their specific purpose
Security standards: All providers must meet our security and privacy requirements
Regular review: We continuously assess and audit our service providers
EU-focus: Where possible, we prioritize providers with EU/EEA data processing
6. Data retention
Retention periods depend on your relationship with summie and legal obligations.
Account data
Retention period: As long as your account is active
Reason: Service provision
Financial documents & transactions
Retention period: 7 years after the relevant financial year
Reason: Dutch tax and accounting law (Belastingdienst)
Communication logs (in-app)
Retention period: 7 years (linked to administration)
Reason: Part of financial archive
Support tickets
Retention period: 2 years after closure
Reason: Customer service quality
Login & security logs
Retention period: 90 days
Reason: Security and fraud prevention
For accountants
When an accountant is the data controller, retention rules are defined by the accounting firm in accordance with professional standards and legal obligations.
Inactive accounts
If you have not logged in for 24 months, we may delete or anonymize your data, unless legal retention obligations apply (e.g., 7-year rule for financial data).
We will notify you before deletion via email.
After deletion
After the retention period ends, data is permanently and securely deleted.
Certain data may persist in backups for a short period (typically 30 days) according to our backup rotation policy, after which it is also deleted.
7. Security
We implement industry-standard technical and organizational measures to protect personal data, including:
Technical measures
· Encryption of data in transit (TLS 1.3) between your device, our platform and our service providers
· Encryption of data at rest (AES-256)
· Secure password hashing (bcrypt/Argon2)
· Strong Customer Authentication (SCA) for bank connections (PSD2)
· Firewall and intrusion detection systems
· Regular security updates and patching
· Secure API communication with authentication tokens
Organizational measures
· Strict access control: Only authorized personnel can access data, and only when necessary
· Role-based permissions: Different access levels for employees
· Confidentiality agreements for all employees and contractors
· Data Processing Agreements (DPAs) with all sub-processors
Monitoring & logging
· Continuous monitoring and alerting for suspicious activity
· Security logs retained for 90 days
· Regular review of access logs
Note: While we implement strong security measures, no system can be 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.
8. Data breach response
In the event of a data breach that affects your personal data:
Our procedure
1. Immediate action: We will contain and investigate the breach
2. Risk assessment: We will evaluate the severity and impact
3. Authority notification: Where the GDPR requires it, we will notify the Autoriteit Persoonsgegevens (Dutch DPA) within 72 hours of becoming aware of the breach. Where summie acts as data processor for an accounting firm, we will notify that firm as data controller without undue delay so it can meet its own notification obligations
4. User notification: We will inform affected users without undue delay if there is a high risk to their rights and freedoms
5. Documentation: We will document the incident, impact, and remedial actions
6. Prevention: We will implement measures to prevent recurrence
What we will tell you
· Nature of the breach
· Categories of data affected
· Likely consequences
· Measures we have taken or plan to take
· Contact point for more information
9. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect:
· Changes in the Services
· New legal requirements
· Improvements to our data practices
· User feedback
How we notify you
For significant changes:
· Email notification to all active users
· In-app notification when you next log in
For minor changes:
· Updated "Last Updated" date at the top of this policy
· Available on summie.co
Your options
If you do not agree with changes to this Privacy Policy:
· You may stop using the Services
· You may delete your account
· We will retain financial data for 7 years as legally required
Continued use of the Services after notification constitutes acceptance of the updated policy.
10. Contact
If you have any questions about this Privacy Policy or how we handle your data:
Email: hello@summie.co
Response time: We aim to respond to all inquiries within 5 working days.
If your data is managed by an accountant
If you are a client of an accounting firm that uses summie, and your data is controlled by the accountant:
· Your accountant is the data controller
· We will forward your privacy request to the appropriate controller
· You should also contact your accountant directly